From: | Josh Berkus <josh(at)agliodbs(dot)com> |
---|---|
To: | pgsql-hackers(at)postgresql(dot)org |
Cc: | "Greg Sabino Mullane" <greg(at)turnstep(dot)com> |
Subject: | Re: Including PL/PgSQL by default |
Date: | 2008-02-21 17:54:14 |
Message-ID: | 200802210954.15159.josh@agliodbs.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Tom,
> > I grow weary of repeating this: it's not about resource consumption, nor
> > about potential security holes in plpgsql itself. It's about handing
> > attackers the capability to further exploit *other* security holes.
>
> Well, without specific examples, I'm not sure I understand what plpgsql
> buys you that you could not do other ways (e.g. generate_series() for
> looping).
I have to agree with Greg here: I don't see what significant new security
issues PL/pgSQL opens up. Certainly including PL/perl or PL/sh would, but
PL/pgSQL?
One of the reasons we advertise to use PostgreSQL is our ability to do
sophisticated backend database things, which other OSDBs don't have.
I agree that there should be some way to disable PL/pgSQL for "locked down"
installations, but I think the majority of users want it to just be there.
--
Josh Berkus
PostgreSQL @ Sun
San Francisco
From | Date | Subject | |
---|---|---|---|
Next Message | Joshua D. Drake | 2008-02-21 17:55:35 | Re: Including PL/PgSQL by default |
Previous Message | Mark Woodward | 2008-02-21 17:53:08 | Re: Permanent settings |